WebSocket Vulnerability in Cline Hub Dashboard Prior to Version 3.0.30
CVE-2026-59723

8.8HIGH

Key Information:

Vendor

Cline

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59723?

Prior to version 3.0.30, the Cline Hub dashboard server allowed unauthenticated WebSocket connections on the /browser endpoint, exposing it to potential attacks. The server failed to validate the Origin header, enabling unauthorized websites to send commands that could read and manipulate workspace settings. This vulnerability posed significant risks when the ROOM_SECRET was not configured for local 127.0.0.1 bindings, allowing attackers to execute commands potentially harmful to user data and application integrity. This issue has been remediated in version 3.0.30.

Affected Version(s)

cline < 3.0.30

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.